Courageous Security: Lessons from a Nazi Resistance Fighter

During my time at Amazon, I was indoctrinated with Amazon’s Leadership Principles. One of my favorites was “Have Backbone; Disagree and Commit.” It encourages people to respectfully challenge decisions when they disagree, even when doing so is uncomfortable.

Over the holiday break, I had the privilege of meeting Werner Sommerfeld, a living embodiment of this principle, showing unshakable courage in the face of immense adversity.


Werner’s Story

Werner grew up in Hamburg, Germany and witnessed firsthand the rise of Nazism. He was just 11 years old when his friend, Helmuth Hübener, became the youngest person executed as part of the German Nazi resistance.

At 95, Werner still stands for justice. A Ukrainian flag hangs in his window, a simple yet powerful protest against oppression. Inside his modest home, he recounted stories of resistance—of his mother’s friendship with Helmuth, of the Jewish man barred from his church, and of Helmuth’s final letter before his execution. Werner’s resilience is a reminder that having a backbone often comes at great personal cost.

Advocating for Your Customers

In product security, we often face moments where we must choose between advocating for customers and staying silent. While the stakes are far from those Werner faced, the courage to act—even when it’s uncomfortable—is still essential.

Most security engineers know of at least one “skeleton in the closet.” Perhaps it’s an unencrypted database of customer data or a vulnerable legacy system. If customers knew about these issues, their trust would be destroyed. Advocating for improvements can be hard, especially when it might affect your career.

Unfortunately, when people are unsure how to respond to a difficult situation, the default is to do nothing. Here are three steps you can use to advocate effectively for your customers:

Step 1: Lead With Data

You don’t want to be perceived as “just being difficult.” Data provides an objective foundation for your argument. Metrics like these can support your case:

- Number of users impacted by a vulnerability.

- Historical costs of similar breaches (e.g., fines, downtime).

- Potential revenue impact, such as deals stalled in the sales pipeline or lost renewals.

The most compelling evidence often comes from red team exercises that prove the exploitability of an issue. However, even strong data needs to be framed correctly.

Step 2: Frame Risks in Business Terms

Decision-makers prioritize business objectives. Translate security risks into financial, reputational, or operational impacts. Instead of saying, “This system is vulnerable,” explain, “This vulnerability could expose customer data, leading to regulatory fines of $X and damaging our ability to sign new clients.”

Real-world examples or case studies—like breaches at similar companies—can make your case more relatable. But avoid overusing fear tactics; you don’t want to be dismissed as a Chicken Little. For a deeper dive into avoiding this perception while advocating for security, check out my previous article: From Chicken Little to Chuck Norris.

Step 3: Propose Compensating Controls

Early in my career, I disliked the term “compensating controls,” seeing it as a shortcut for passing audits. I’ve since realized the value of proposing pragmatic solutions that align with business goals. If full remediation isn’t feasible right away, start by assessing whether you can at least detect and respond to exploitation of the risk you’re highlighting. Prioritize the most critical components first, and plan a phased rollout for the less critical ones, making sure each phase has an assigned owner and a date.

Bonus: Protect Yourself

Advocating for security can be risky. Here are ways to safeguard yourself:

  • Document Everything: Follow up verbal discussions with email summaries. Stay professional and avoid snarky comments.

  • Align With Allies: Partner with teams like Legal or Compliance, as they often share concerns about security risks and can help reinforce your case.

  • Seek Independent Legal Counsel: Company lawyers protect the organization, not necessarily you. Independent counsel ensures your rights are prioritized.

Finally

Advocating for secure products requires backbone. By leading with data, framing risks in business terms, and offering pragmatic solutions, you can make meaningful progress without alienating stakeholders. Protecting customer trust and privacy is worth the effort.


© 2025 Mission InfoSec. All Rights Reserved.